Exclusive: US security flaws exposed in Libya

The US Department of State has known for decades that inadequate security at embassies and consulates worldwide could lead to tragedy, but senior officials ignored the warnings and left some of America's most dangerous diplomatic posts vulnerable to attack, according to an internal government report obtained exclusively by Al Jazeera's Investigative Unit.

The report by an independent panel of five security and intelligence experts describes how the September 11, 2012, attack on the US Special Mission in Benghazi, Libya, which left Ambassador J Christopher Stevens and three other Americans dead, exploited the State Department's failure to address serious security concerns at diplomatic facilities in high-risk areas.

Among the most damning assessments, the panel concluded that the State Department's failure to identify worsening conditions in Libya and exemptions from security regulations at the US Special Mission contributed to the tragedy in Benghazi. Undersecretary for Management Patrick Kennedy approved using Benghazi as a temporary post despite its significant vulnerabilities, according to an internal State Department document included with the report.

The panel cataloged a series of failures by State Department officials to address security issues and concluded that many Foreign Service officers are unclear about who is in charge of security.

Among the problems Sullivan's panel identified in the report:

The State Department's management of its security structure has led to blurred authority and a serious lack of accountability. The undersecretary for management oversees security issues while also handling many other responsibilities. A newly created undersecretary for diplomatic security would allow the State Department to better focus on security issues affecting diplomatic posts around the world, according to the report. Left unaddressed, the control problem "could contribute to future security management failures, such as those that occurred in Benghazi."

The Bureau of Diplomatic Security, the State Department security arm created following the 1983 bombings of the US Embassy and Marine barracks in Beirut, does not have a review process in place to learn from previous security failures. Inexplicably, Diplomatic Security officials never conducted what is known as a "hot wash" debriefing of Benghazi survivors to learn from their experience.

No risk management model exists to determine whether high-threat posts, such as the one in Benghazi, are necessary given the danger to US officials. Risk decisions are made based on "experience and intuition," not established professional guidelines.

None of the five high-risk diplomatic facilities the panel visited in the Middle East and Africa had an intelligence analyst on staff, described as a "critical" need.

Diplomatic security training is inadequate, with no designated facility available to train agents to work at high-risk diplomatic posts.

Even low-risk diplomatic posts are vulnerable. The Obama administration, concerned about potential attacks, ordered the closure of diplomatic posts in the Middle East and North Africa in August 2013. Of the 19 posts closed, only four were designated as high threat.

Sullivan's panel noted that its findings and recommendations are not new to State Department officials. A 1999 report by government contractor Booz Allen Hamilton recommended similar reforms, including an undersecretary for security. Madeleine Albright, then the secretary of state, approved the recommendation - but it was never implemented. "This report," the panel wrote, "was largely ignored by the Department."

Even when the State Department has enacted security reforms, agency officials have failed to comply with them or otherwise have exempted themselves from the new standards, Sullivan's panel determined.

Following the 1983 Beirut bombings, for example, the State Department implemented building safety standards for missions in high-risk areas, which became known as Inman standards, developed by a review panel headed by Bobby R Inman, the former director of the National Security Agency.

"Thirty years later, neither the US Embassy chancery in Beirut nor a significant number of other US diplomatic facilities in areas designated as 'high threat' meet Inman standards," Sullivan's panel wrote.

Security problems at diplomatic posts aren't isolated, the panel said, pointing out that safety concerns can be found at US facilities worldwide. For decades, the State Department has failed to address these vulnerabilities, the panel said, suggesting that Benghazi was a tragedy that might have been avoided.

Security standards exempted

At best, security at the US Special Mission in Benghazi was porous. The mission took lease of a 13-acre walled compound on June 21, 2011, two months before the ouster of Libyan leader Muammar Gaddafi and after the shuttering of the US Embassy in Tripoli due to increased fighting in the capital.

Explosions target Benghazi judicial buildings

Although the State Department reopened the embassy on Sept. 22, 2011, the Special Mission in Benghazi remained open despite serious security concerns. In December 2011, Undersecretary for Management Kennedy approved a one-year extension of the Benghazi post.

A career diplomat, Kennedy was aware of the security problems in Benghazi. The number of Diplomatic Security officers there ranged from five to as few as one, and security was augmented by the February 17 Brigade, a ragtag group of Libyan militants who at the time of the 2012 attack were working under an expired contract and complaining about poor pay and long hours. In addition, the US Special Mission did not have adequate barriers to slow a ground assault.

"Benghazi has demonstrated yet again the vulnerability of US facilities in countries where there is a willingness to protect US interests, but very little capacity to do so," the panel wrote.

The Benghazi post's failure to meet security standards did not prevent its operation. State Department officials effectively waived the security requirements. For years, the State Department has fostered a culture of waiving such requirements when officials choose not to meet them.

"Waivers for not meeting security standards have become commonplace in the Department; however, without a risk management process to identify and implement alternate mitigating measures after a waiver has been given, Department employees, particularly those in high threat areas, could be exposed to an unacceptable level of risk," Sullivan's panel wrote.

The panel added: "It is unlikely that temporary facilities, in areas such as Benghazi, will ever meet Inman standards. The Department therefore identifies missions with special terminology to avoid its own high, but unattainable, standards and then approves waivers to circumvent those standards, thus exposing those serving under Chief of Mission authority to an unacceptable level of risk."

No 'ground truth'

In the six months leading up to the attack in Benghazi, the warning signs were ominous: security in the city had deteriorated and threats against Western officials were increasing.

Inside Story - The battle for security in Libya

From March through August 2012, 20 significant acts of violence occurred, including a homemade explosive device thrown over the wall of the US Special Mission and an attack on the Benghazi International Committee of the Red Cross with rocket-propelled grenades.

On the morning of Sept. 11, 2012, diplomatic security officers issued a report that described Libyan security forces as "too weak to keep the country secure."

Yet no one at the State Department connected the intelligence dots to offer concerns about worsening security in Benghazi. According to Sullivan's panel, this oversight occurred because the Benghazi facility did not have an intelligence analyst on site to determine the "ground truth."

By contrast, the British Foreign and Commonwealth Office and the United Nations employ experienced intelligence analysts in country to identify security concerns from the ground.

Training problems

While documenting security problems, Sullivan's panel said that the Bureau of Diplomatic Security, known as DS, is viewed as the "gold standard" among federal law enforcement and security officials.

The State Department's security arm protects 35,000 US employees worldwide, as well as 70,000 employee family members and up to 45,000 local civilian staff members.

Sullivan's panel viewed additional training of security agents as "critical" to addressing the problems identified in the report. But today the Bureau of Diplomatic Security is having difficulty handling its training load.

The reason: the State Department, unlike other agencies, does not have a designated training facility for security agents. The department is now trying to identify a site near Washington, D.C., on which to build a Foreign Affairs Security Training Center.

Until a center is built, the State Department must continue "begging hat-in-hand for use of others' facilities," the report stated.

"The establishment of such an integrated, state-of-the-art facility is a best practice adopted long ago by the Federal Bureau of Investigation, United States Secret Service, and the Drug Enforcement Administration," the panel wrote.

Repeated security failures

For the State Department, Benghazi became the latest in a long string of security failures. From 1998 to 2012, 273 significant attacks against US diplomatic facilities and personnel occurred.

In 1998, concerned about increasing threats to the embassy in Kenya, Ambassador Prudence Bushnell and the US Department of Defence asked to be moved to a safer building. State Department officials denied the request, citing budgetary concerns.

On August 7, 1998, simultaneous truck bombs exploded at the United States embassies in Dar es Salaam, Tanzania, and Nairobi, Kenya, killing more than 250 people, including 12 Americans.

A State Department review after the attacks found that at least two-thirds of the 262 US diplomatic facilities were so vulnerable to attack that they needed to be rebuilt or relocated.

Ten years after the East Africa bombings, on September 16, 2008, in a diplomatic cable obtained by WikiLeaks, the regional security officer in Sanaa, Yemen, informed his counterparts in Washington about a threat that British officials had intercepted and forwarded.

The threat, written in Arabic, discussed a car bomb targeting American and British interests in Yemen.

The next day, at about 9:15 am, a vehicle with men dressed in military uniforms shot through the gate of the US Embassy in Sanaa and detonated a car bomb. A second car breached the security gates and also exploded.

An al-Qaeda-affiliated group claimed responsibility for the attack, which killed 18 people, including one American.

Four years later, Benghazi happened.

Members of Al Jazeera's Investigative Unit contributed to this report.